Analysis
max time kernel: 119s
max time network: 124s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 02/02/2024, 18:40
Behavioral task behavioral1
Sample: 8a40e729cf33d06ed1fdd3ea5260d195.exe
Resource: win7-20231215-en
Behavioral task behavioral2
Sample: 8a40e729cf33d06ed1fdd3ea5260d195.exe
Resource: win10v2004-20231222-en
General
Target: 8a40e729cf33d06ed1fdd3ea5260d195.exe
Size: 2.9MB
MD5: 8a40e729cf33d06ed1fdd3ea5260d195
SHA1: 9fa9fc6842ec77087cef3db536697cdb6cdaa913
SHA256: 5b714887317eca02f7aaa57e97c8d46ac1025e07c6b82c0d7e544baf51f6914d
SHA512: 10a9decd70b90d4697efab02773da00b38f48d23c21807e214a33833fd6916c0c29ad757abd48077ba1b434a5484b8cbdeb38f9e81834aef34f8cab993a6ae7d
SSDEEP: 49152:5L3b20S3MjtZGFyIAQc0aMZ4sUgCqKSP4M338dB2IBlGuuDVUsdxxjeQZwxPYRKs:5P2N3Mjt4FY0aMJUnqjgg3gnl/IVUs1h
Malware Config
Extracted: gozi
Signatures
Deletes itself (1 IoC)
  PID 3012  8a40e729cf33d06ed1fdd3ea5260d195.exe
Executes dropped EXE (1 IoC)
  PID 3012  8a40e729cf33d06ed1fdd3ea5260d195.exe
Loads dropped DLL (1 IoC)
  PID 1384  8a40e729cf33d06ed1fdd3ea5260d195.exe
YARA rule matches (4 resources, rule: upx)
  behavioral1/memory/1384-0-0x0000000000400000-0x00000000008EF000-memory.dmp  upx
  behavioral1/files/0x000800000000b529-13.dat  upx
  behavioral1/files/0x000800000000b529-10.dat  upx
  behavioral1/memory/3012-17-0x0000000000400000-0x00000000008EF000-memory.dmp  upx
Suspicious behavior: RenamesItself (1 IoC)
  PID 1384  8a40e729cf33d06ed1fdd3ea5260d195.exe
Suspicious use of UnmapMainImage (2 IoCs)
  PID 1384  8a40e729cf33d06ed1fdd3ea5260d195.exe
  PID 3012  8a40e729cf33d06ed1fdd3ea5260d195.exe
Suspicious use of WriteProcessMemory (4 IoCs)
  description | pid | Process | procid_target
  PID 1384 wrote to memory of 3012 | 1384 | 8a40e729cf33d06ed1fdd3ea5260d195.exe | 28
  PID 1384 wrote to memory of 3012 | 1384 | 8a40e729cf33d06ed1fdd3ea5260d195.exe | 28
  PID 1384 wrote to memory of 3012 | 1384 | 8a40e729cf33d06ed1fdd3ea5260d195.exe | 28
  PID 1384 wrote to memory of 3012 | 1384 | 8a40e729cf33d06ed1fdd3ea5260d195.exe | 28
Processes
1. C:\Users\Admin\AppData\Local\Temp\8a40e729cf33d06ed1fdd3ea5260d195.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\8a40e729cf33d06ed1fdd3ea5260d195.exe"
   PID: 1384
   - Loads dropped DLL
   - Suspicious behavior: RenamesItself
   - Suspicious use of UnmapMainImage
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\8a40e729cf33d06ed1fdd3ea5260d195.exe (child of 1)
      command line: C:\Users\Admin\AppData\Local\Temp\8a40e729cf33d06ed1fdd3ea5260d195.exe
      PID: 3012
      - Deletes itself
      - Executes dropped EXE
      - Suspicious use of UnmapMainImage
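The Signatures and Processes sections above are flat per-PID rows; what an analyst actually wants from them is the chain: the first instance (PID 1384) relaunched the same image path as PID 3012, wrote into that child four times, both instances unmapped their main image, and the child then deleted the file it was started from, while the upx rule fired on the same 0x400000-0x8EF000 range dumped from both PIDs. The following Python is an added example, not tria.ge code and not part of the sample, that reconstructs those relationships from the rows. The event records are constructed by hand from the report above, and the function names and the "reasons" heuristics are this example's own.

```python
import re
from collections import Counter

# Records constructed by hand from the Signatures and Processes sections of
# the report above (this is an added example, not tria.ge code).
IMAGE = r"C:\Users\Admin\AppData\Local\Temp\8a40e729cf33d06ed1fdd3ea5260d195.exe"
PROCESSES = {
    1384: {"image": IMAGE, "parent": None},   # first instance
    3012: {"image": IMAGE, "parent": 1384},   # second instance, spawned by 1384
}
SIGNATURE_HITS = [  # (signature name, PID the sandbox attributed it to)
    ("Loads dropped DLL", 1384),
    ("Suspicious behavior: RenamesItself", 1384),
    ("Suspicious use of UnmapMainImage", 1384),
    ("Suspicious use of UnmapMainImage", 3012),
    ("Executes dropped EXE", 3012),
    ("Deletes itself", 3012),
]
WRITES = [(1384, 3012)] * 4  # the four "PID 1384 wrote to memory of 3012" rows
UPX_RULE_HITS = [
    "behavioral1/memory/1384-0-0x0000000000400000-0x00000000008EF000-memory.dmp",
    "behavioral1/files/0x000800000000b529-13.dat",
    "behavioral1/files/0x000800000000b529-10.dat",
    "behavioral1/memory/3012-17-0x0000000000400000-0x00000000008EF000-memory.dmp",
]

# Memory-dump resource names have the shape
# <task>/memory/<pid>-<index>-0x<start>-0x<end>-memory.dmp
_DUMP_RE = re.compile(
    r"^(?P<task>[^/]+)/memory/(?P<pid>\d+)-(?P<idx>\d+)-"
    r"0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)


def parse_memory_dump(resource):
    """Split a memory-dump resource name into its fields; None for file hits."""
    m = _DUMP_RE.match(resource)
    if not m:
        return None
    start, end = int(m["start"], 16), int(m["end"], 16)
    return {"task": m["task"], "pid": int(m["pid"]), "idx": int(m["idx"]),
            "start": start, "end": end, "size": end - start}


def shared_upx_regions(rule_hits):
    """Map each dumped address range to the set of PIDs it was dumped from."""
    regions = {}
    for hit in rule_hits:
        d = parse_memory_dump(hit)
        if d is not None:
            regions.setdefault((d["start"], d["end"]), set()).add(d["pid"])
    return regions


def find_self_injection_chains(processes, writes, hits):
    """Join each writer/target pair with what both processes were flagged for."""
    by_pid = {}
    for sig, pid in hits:
        by_pid.setdefault(pid, set()).add(sig)
    chains = []
    for (writer, target), n in sorted(Counter(writes).items()):
        w, t = processes[writer], processes[target]
        chains.append({
            "parent": writer, "child": target, "writes": n,
            "child_spawned_by_writer": t["parent"] == writer,
            "same_image": w["image"].lower() == t["image"].lower(),
            "parent_unmapped_main_image": "Suspicious use of UnmapMainImage" in by_pid.get(writer, ()),
            "child_unmapped_main_image": "Suspicious use of UnmapMainImage" in by_pid.get(target, ()),
            "child_deletes_itself": "Deletes itself" in by_pid.get(target, ()),
        })
    return chains


def explain(chain):
    """Reasons a chain deserves attention (the heuristics are this example's own)."""
    reasons = []
    if chain["child_spawned_by_writer"] and chain["same_image"]:
        reasons.append("parent relaunched its own image and wrote into the child %d times" % chain["writes"])
    if chain["child_unmapped_main_image"]:
        reasons.append("child unmapped its own main image, consistent with replacing it in memory")
    if chain["child_deletes_itself"]:
        reasons.append("child deleted the on-disk file it was started from")
    return reasons


if __name__ == "__main__":
    for chain in find_self_injection_chains(PROCESSES, WRITES, SIGNATURE_HITS):
        print("PID %d -> PID %d" % (chain["parent"], chain["child"]))
        for reason in explain(chain):
            print("  -", reason)
    for (start, end), pids in shared_upx_regions(UPX_RULE_HITS).items():
        print("upx-flagged range 0x%X-0x%X (%d bytes) dumped from PIDs %s"
              % (start, end, end - start, sorted(pids)))
```

Run it as a script to see the single 1384 -> 3012 chain with its three reasons and the one 0x400000-0x8EF000 range shared by both PIDs. The parser returns None for the two `files/...dat` hits, so dropped-file matches can be handled separately from memory-dump matches.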
Network
MITRE ATT&CK Matrix
Downloads
-
Filesize: 1.6MB
MD5: 1169927a79010c2c860bc2541c7069ed
SHA1: 98f9bde65d565b67e2835d559e3f96cd902476b5
SHA256: 043877c9885983462fc23bbad4279050b8a038b35d356b62376958427148cc64
SHA512: 149e2165adb365d522ac0921a39864b684ac8fa43920bb8da7166780718c29bcaf2843033602a775482998d7f27a05fe85f41a50bfca618fe78321313e9f919c
-
Filesize: 1.6MB
MD5: 751ffff729f9dfac9bdd366d6b786369
SHA1: c6b5b98ed294100f5f09c9efbde9dc3ffbe907a0
SHA256: 58315cc0304e966b480733d8ba8a24d31cebf3f428a8952043187124364accea
SHA512: 59389fe8d8dcc67f274699e17967c4fdd9eeab604a2711ae34d0ee00555265d3f3e22d9d3af75374bbbbc98ee6398cb4d531b325a4d827f40240383c8001f060